HTTPS only website

https

Is it acceptable to run a website which only serves on HTTPS and not HTTP? Consider situations where plain domain names are typed in the address bar. Usually websites redirect the user to the HTTPS version.

There is a good reason for wanting to only provide HTTPS. Consider this scenario:

  • User is a developer using a REST API to talk to server.
  • User forgets the "s" at the end of "http" when posting potentially sensitive information.
  • POST goes on wire with its payload on a non-secure channel vulnerable to the usual eavesdropping.
  • Only after the POST is complete does the server send a redirection code to the secure site.

Best Answer

Depends on the site.

The situation that you've outlined above can only be prevented if the server doesn't accept the connection on port 80 whatsoever; a user-friendly redirect or even an error page that says "use https!" would allow for the unencrypted API request to be sent. Of course, when it doesn't work, the person making the call should hopefully notice and fix their mistake after one failed attempt - and hopefully they aren't testing with sensitive data.

Whether or not this single non-secure communication attempt is acceptable (hopefully with non-sensitive data) depends completely on your security needs.

If the site's used for API calls only, then it's just fine to leave port 80 off.

If users will be visiting the site in a browser (entering the address manually), then don't expect to be able to leave port 80 off without confusion and annoyed users.
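The two options the answer weighs (port 80 open but redirecting, versus port 80 not listening at all) can be checked locally. The following is an added example, not code from the question or the answer: it runs a throwaway plain-HTTP listener on 127.0.0.1 that records any POST body before answering 301, then repeats the POST against a port nothing listens on. The payload, ports and the `seen_bodies` "eavesdropper log" are constructed for the demonstration; only the standard library is used and nothing leaves localhost.

```python
"""Show why an HTTP->HTTPS redirect does not protect an accidental http:// POST:
the body has already crossed the wire in cleartext before the 301 comes back,
whereas a closed port refuses the connection before any byte is sent.
Constructed demonstration; all values are made up."""

import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple, Union

# Constructed "sensitive" payload a developer might POST to http:// by mistake.
SENSITIVE_PAYLOAD = b'{"api_key": "EXAMPLE-NOT-A-REAL-KEY", "amount": 100}'


class RedirectingHandler(BaseHTTPRequestHandler):
    """Plain-HTTP listener that politely redirects to HTTPS.

    It records every body it receives, standing in for anyone on the network
    path who could read the same cleartext bytes."""

    seen_bodies: List[bytes] = []  # shared across requests: the "eavesdropper" log

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)  # payload has already arrived in cleartext
        type(self).seen_bodies.append(body)
        self.send_response(301)
        self.send_header("Location", "https://example.invalid" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo output quiet
        pass


def post_over_plain_http(port: int, payload: bytes) -> Union[int, str]:
    """POST to http://127.0.0.1:<port>/api and return the status code, or the
    exception class name if no connection could be made."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
    try:
        conn.request("POST", "/api", body=payload,
                     headers={"Content-Type": "application/json"})
        return conn.getresponse().status
    except OSError as exc:
        return type(exc).__name__
    finally:
        conn.close()


def run_redirect_scenario(payload: bytes = SENSITIVE_PAYLOAD) -> Tuple[Union[int, str], bool]:
    """Option A: plain-HTTP port open and redirecting.
    Returns (status seen by the client, whether the listener read the payload)."""
    RedirectingHandler.seen_bodies.clear()
    server = HTTPServer(("127.0.0.1", 0), RedirectingHandler)  # ephemeral port stands in for 80
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status = post_over_plain_http(port, payload)
    finally:
        server.shutdown()
        server.server_close()
    return status, payload in RedirectingHandler.seen_bodies


def run_closed_port_scenario(payload: bytes = SENSITIVE_PAYLOAD) -> Tuple[Union[int, str], bool]:
    """Option B: nothing listens on the plain-HTTP port.
    Reserve a free port, release it so nothing is bound there, then try to POST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    # The socket is closed here, so the connect is refused and no body is ever sent.
    status = post_over_plain_http(port, payload)
    return status, False


if __name__ == "__main__":
    print("redirecting port 80:", run_redirect_scenario())      # (301, True)
    print("closed port 80     :", run_closed_port_scenario())   # ('ConnectionRefusedError', False)
```

The redirect case returns 301 with the payload already in the listener's log, which is exactly the leak the question describes; the closed-port case fails with a connection refusal before any application data is sent. Note that HSTS only helps a browser that has already visited the site over HTTPS; it does nothing for a first visit or for a non-browser API client, so for an API-only host the answer's advice to leave port 80 off is the option that actually removes the exposure.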
